VDE-2021-006 | CERT@VDE

2021-02-16 15:53 (CET) VDE-2021-006

Pepperl+Fuchs: Multiple Products - Vulnerability may allow remote attackers to cause a Denial Of Service

Share: Email | Twitter

ID

VDE-2021-006

Published

2021-02-16 15:53 (CET)

Last update

2021-02-16 15:53 (CET)

Vendor(s)

Pepperl+Fuchs SE

Summary

Critical vulnerability has been discovered in the utilized component PROFINET IO Device by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerability on the affected device is that it can

no longer perform acyclic requests
may drop all established cyclic connections may
disappear completely from the network

For more information see advisory by Hilscher:
https://kb.hilscher.com/display/ISMS/2020-12-03+Denial+of+Service+vulnerability+in+PROFINET+IO+Device

CVE ID

CVE-2021-20986

Last Update:

17. November 2022 13:09

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Out-of-bounds Write (CWE-787)

Summary

A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

Details

nvd.nist.gov

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may cause a cause a Denial Of Service of the product.

Solution

Mitigation

An external protective measure is required.

Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
Isolate affected products from the corporate network.
If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Hilscher Gesellschaft für Systemautomation mbH